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The Details 



1 Abstract 

The invention describes a method In rcsturc data, which is stored in «i broken computer hardware device by 
transferring them partially or completely imo another hardware deviu: of same type. The stored data 
represents digital rights management, pay-per-use counter values oi .iceess-control tokens; in this document 
the word license is used for all these d<itd. These licenses are crea tad in i id owned) by different licensors 
(software development companies, document au rhors and publisher ofc.}. The user as owner of foe device 
typically buys these licenses by paying monuy to receive secret secjm - i .ces from the different licensors, who 
store sequentially all licenses into the hardware. In dependence or I he paid price, the sum of stored licenses 
represents a more or less high financial value. If Lho hardware dev jci< i.v broken or lost these licenses cannot 
be longer used; without a transfer of these licenses tn another hiudwiins device, the stored financial value is 
lost The method of the invention permits a restoring process oJ QV lit i -rises into anyjther hardware device. 
This restore is based on backup dat,i oinaidt; of the hardware device, typically %T^o3ffiniter data file. The 
license transfer is fully controlled by il w licensors as owners of the specific Xxc^e^T^iB^tDTe process is 
executed by the user via a single start operation activity f single click"). For this a 3pb WdflS^vlce is used, 
which delegates the recreation of tht- licenses via Restoring Web Scrviois iiltoijflie new h^jjMware device - 
security-specific for each license. An addil Umal technique named as hfrUng^^s thatg]ie restored (lost or 
broken) hardware device can be used ,my lunger concurrently lo Ihv dey^^ith th^s^tored licenses. 

1.1 Example ^ jf 



An example for such a device is the CM-Si K K this is a Ivirdware-paM i seg^ty and digital rights 
management controlling device, which is .nvailabf e At the U^feirm tartac 3> 

1.2 New Features . « 

The invention permits an easy-to-use partially or ruli^'rJestormg of licenses, which are stored in a hardware 
device in a manner, which is fully com nillt-U by W ficansorsrjels owners of the licenses. The reuse of the 
replaced hardware device is restricted. M ' »„JA* 

to .;. r" 

2 The Details 

2.1 How the Methjpctifrorrks 

The complete backup mechaiusir^is explained in the document f IJ. This document here describes only the 
core part of the invention. Jj$P j* ' 

The hardware device stp^ l fe k enses from clifferenl licensors. Each hVonse can only be created by the licensor 
as owner. The owxipr o|^i j hard^aro or Wl OU-SYSTEMS cannol slim nudi a license. No other licensor can 
store a license o£|2hyw^ere drajffl ihww- tt^trJctimui axe Handled hy n mix of aymmetric and asymmetric 
(public key) encr^tiDjS metjji^ a>rid by private keys. 

The stored licenses can bjTjskved by Hie user os owner of the hardware into a file. All price-relevant 
information is stored. This' mfbrmat ion is not enc^rpfced (except some special secret data) but signed 
individually for each license in dapenduna- of a secret key. delivered bv the licensor. The signing is done by 
a hash via the data which is encrypted by that secret key <md stored m f he file. The signature is also 
influenced by the Serial Number of flu* hardware device (which is unique) and by the current time (second 
based, hardware device internal), so that no time manipulation is possible. 

The user can, do this backup as frequently as he or she desires or how frequently it is required (For example 
after the counting information for pa y-per-nso is .reduced). 
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Appendix 

This backup file is not required until l hu hard wan: device is lost or brotan. Then the user buys a new 
(typically empty) hardware device, which r-Uuuld rereive and store all licenses (which must support 
restoring) from the broken hardware device. 

Then a software application outside oi iho (now u hmsiIsIu) hardwaw th-xdee sends the backup file as a 
sequence to the Hub Web Service by * single command form ti\e user f. single click"). This central Web 
Service knows die Restoring Web Service* of all licensors who rtupporii such a restore operation. The Hub 
Web Service analyses the received wquunco and sends each license, which supports the restoringr to the 
corresponding Restoring Web Service. These creale new sequences, compatible to die backup sequences, 
which are sent to the new hardware d«vk v. Thaf s why this device receives the new sequences horn 
different Restoring Web Services. 

2.2 Avoiding Use of "Lost" or "Broken" Devices 

To reduce the chance ihat a lost device cuo be reused after found atfdin or a broj^d'efltee can be reused 



after a repair or the user claims by chca tin* a lost or broken de^ico. vvl lich acfM^fej^the Locfdng 
Mechanism is introduced: fyT 
v The Central Web Service sets the Sori.il Number of Ihe backup Hie (resf^^sVbropn device) into a 
"black list". This list is available for ail Licensors viii a special Jtor WS|fe|oW S&rn&f 

v If a Licensor has to send any Remote* Activation Sequence to a hanjM dej^fiw Serial Number of 
this device is checked in this Validation Service. IF the Serial Nunib^laBs^aLoddngSeqiiencc^ 
immediately sent to the hardware devu-e which locks pexmom-nily aUsec^tty operations in ihis device. 

3 Advantages of the Inventiori^^ "State of the Art" 

Today hardware devices which contain values (moneyed, pay-p^r-use protection hardware) have 
typicallyno automatically working backup/ restore mechShisni. CVhcu such device is lost or broken, the -user 
wfll lost the stored financial value imiiM-diaUdy^d^efenanenfl/or lh« user receives sometimes a customer- 
service volunteer ''restore'', which musi be c^ecu£ed ^uh|f bnd w ^"** time-wasting. Some systems 
support automatic-restore mechanism; bn t th^fpfc W wiSrfanjj for il i fferent licensors with unique security 
versa-versa. Moreover, a guarantee Lhat a lu^id-foundSBb a broken md-repair device cannot be used any 
longer as a second copy of the stored value, isiiot handled automatf rally. 
So the device of the invention has following advantages: 

v Conserving the saved values by u-nn-sfrnifij^fromu last/brufcvit device into a new device. 

v Easy request of the resto^'infO' . . . Jtioa ofa last/broken devi«> Lorn different licensors via a single Hub 

Web Service by a singLe^fipn (VI ick" ) at user's site and tnui-tf.'ning this information into the new 

(replacement) hardwara;d|vjic«j. 
v A safe method to ayofeiat luft-and found or broken-and-rep* ired hardware devices can be used 

unlimited eoaaa0^' l '° lwr dwaw deVice ' wllich re<*iv«s the restored information by the Lodang 

4 Appendixi 



a: 



4.1 References 

[1] CM-Box Backup, CodeMeter Architecture iDescripdon, Vorsioi i 1 .00 of 2003-June-10. 
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CM-Box Backup CodeMeter Architecture 

Principles of the CM-Box Backup 

1 Introduction 

[2003-Jra-07/mabu] 

CodeMeter stores all licenses into the hardware "CM-Box". That* s why this hardware represent a spedfic 
value, defined by the sum of the pu rebuff- price of oil diose licensee if the CM-Box is broken, stolen or lost, 
this value is lost too. This may be j bi j> low; for (lie owner of the CM* >x res. owner of these licenses. 

As solution, the CM-Box backup mechanism permits to save trw ccmusitts of the CM-Box to a file on the PC, 
which can be restored into another CM Box after the original CM-flo* is broken or lost. 

This backup mechanism is user-fa'cnclly hut conlaias fehes risk of cheating- a user ioHfe. claim a broken CM- 
"Pox, which works still properly and so trying to get illegal copies ul* Ll m storedK^es!%ie backup 
mechanism of Che CM-Box rniplerm nfc- several features which reduce sporadic 'fikelffig an$iavoid 
systematic cheating. A1J basic and vxtnndprl feature arc explained in »ext AaptesrsT JfF ' 

2 Principles of the CM-Box Backup 

[2003-Jun-07/mabu] 

The foEowing chapter describes the principle work of the CM-t?ox Dai k-up^Jpe CM-Box Backup can 1 
described by fbllowing basics and highlights: ^''^j jjt 1 

BJ Backup file created by User ^•ffe ^ 

BIB Restore fully controlled by Licensor, m>L WTBU-SYSfEMB 

KI Licensor can decide restore policy t ! ^ 

IS Licensor sees qnly own licenses f * • * 

IS Restore process is single-dick artfou for user- ' $ . 

B Backup file cannot be manipulated "ft H "j** 

PI HiddenDaia PIO axe encrypted ! * " 

IB SecretDaia PIO axe no part of backup, i ( r 

fflii Restrictions for IH backup « 

fflt Broken or lost CM-Boxes can bi»Jorkfc*d < ! - , 

US Cheating using the backup/ res I ore ihrchajjosrn is limited 

W Platform for general license tifu \bf e r *§\ 

All these topics are explaine<$Sn1ne sublet juent chapters. 




2.1 Backup F||p^eated by User 

[2003-Jun-lO/ma^} W' 

,..5yg.#fe is alWays created sil User's Site. It is a XML fiiv! which can be copied without any 
restrictions from orieTPC t^Sother. 1 1 nmtajns the. Box Information 5L ucture (Serial Number, Serial Key, 
CM-Box Version etc.), th£iJFI (restrictions see chapter Z9, page 7) and the contents of all Firm Items, AH 
these information blocks may be analyzed soparately and can also splil into several XML files. 

The CM-Box Backup may be started manually by the Usur via the CM Web Admin dialog. It may also be 
started by the CM-API and automatical ly wiihin a time interval which may be specified by the User. 

The storing of a single Firm Item with all owned I Yoduct Items needs lypicaHy between 30 ms and 60 ms. So 
creating a backup of 500 Firm Uerns in the CM-Box needs about 30 sen i » ids. 

The CE5 (Central Execution Service) main lain* a list for each CM-Dox winch defines for each stored Firm Code 
when die corresponding Firm Item and till its owning Product Ttenvr are stored to the Backup File. One or 
more of the following options are supported : 

(1) After any Remote Activation of the l ? irm item 

(2) After a specific time interval in seconds resolution 
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Principles of the CM-Box Backup 

(3) When the user presses the Backup button manually in the WebAiimin 

The default setting is all three options acl Ivc; (2) w«h an interval erf 1 day. If the Firm Item is not defined for 
restoring by the Licensor, then ail Dir. •<• options arc inactive. 

* fe A s * or f dina CMBackup maintenance WBCfile in XML format The User can modify its contents via 
the Web Admin console or roanua J Jy by a XML or tux t editor. 

2.2 Restore Fully Controlled by Licensor, not WIBU-SYSTEMS 

[2003-Jun-aO/mabu] 

The restoring of the backup data- Inc. transfer or Licenses from a hoken or lost CM-Box into another CM- 
Box is handled by a sequence of A4(Utt X Firm Items aixd Adding L'rothicl Items Kemo#^nv a tfon operations 
For both operations, the FiimKeyii. riK^uiivd and ihts is only kno«v„ I.y the UcAr w&ch ownfthe 
corresponding Firm Code. W Iffl.dg' * 

Thaf s why itis principally im pos «ibk- „ u ,t WBl /-SYSTEMS, a TraU*r or a%jdnc Lckup ctmpany could 
manage the restoring operation. J3ih, 

The Restoring Operation is bandied automatically by CM-Talk and rscdfeMt Ucei&oVs Site bv the tjcensa 
Generator. The Restoring is describe ami cvntrolleU by the PAD {^WcHv^^Zn) 

K a Licensor decides to support a Kcsiorin C of its Firm Hems, it set; the URL ofl^le'correspondine License 
Generator as 3d substring of the Firm Toxi of this Firm Item. If this siring ia.6ripty or not specified, no 
Restoring is supported for the corresponditiij Firm Item. A /»Sr 

v • P 

2.3 Licensor can Decide Restore Polfey- 



pOOS-Jun-lO/mabu] f & 

r : 



The Licensor can decide how the Kesiorin,; is ifandle'dby spJific PAD {Product Activation Description) 
settings. Following variants are avttilni»l<i: !» 1 '• r ' 

'Wffi J;- qjj* 

IB Full Restore without restriction?; lor a HiteJtem andjkll of ife Product Items (with the restriction that 
5ecretData PIO cannot be restenviJ, seh chapter 2.8,,page 7). 

SI The Restore is restricted to the I'irm Horn anJ'&ome of theProdnci Items. 

K Within the Product Item, the currcni valuta Unit Counter i* uoi completely restored. 

The last point is usefial becauie % Uun- «:uu]*send an old Backup wfih a much higher Unit Counter value 

than really exists in fhe brokeV^iast <"M-Bo*. Therefore the agy lockup _ the time difference between 

the creation of the Bactop^L It thfe ciirmii lime may influence the derive of Unit Counter reduction. 

For all other types of FjOfffx a speri nl storing not required bccniiM their contend cannot be modified 
without the control of ij^%fcenBo<,(cxcopl LteerDnta J'lO which arc not protected). 

The degree of Ur|t Counter reaction fan bu set by a linear modeJ Km ween two limits; 

» The degree Jl&c^oft^Then lh« R* ku p is identical with ihn cu t tent time, named as 
MaxUnitCounterRespeDcgrce mid a lime distance when Qui induction starts, named as 
MaxUnitCounterRestoreTime. 

W The degree of reduction far th<> m^imum peniutted time disianci- between the Backup and the current 
time, named as MmUnitCountvrKet toi eDe^ree and MinUnitC owuterRestoreTime. 

If a backup is not older than the AfaUmtG>nnterReslPri:Time, the Unit Counter is 100% replaced. 

If a backup is older than ihe mnUnUO>it»ivrRe$torcTvm f the Restoring r»f the UhitCoujifer PIO is done but the 
Unit Counter value is set to 0. 
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A Licensor has set following; Unit Co unte r Restore parameters. 
SI l^UnitCoynterteslQnVvtfre = 80%, MnxUuHCfiuntcrRMliwTime » 1 day. 
H MinUmtCotmierRestoreLh^rcc - 10% MinUnitCountcrRL\ito>rTitw> = 9 days. 
Let a Unit Counter with value 1 000. Then it is resiored to: 
«fi 1P0O when the Backup was done today, closed to the current time- 
88 800 when the Backup tvas t7ie backup was yesterday 
M 100 when the Backup W0b done 9 days ago. 
US 0 when the Backup was done 1 1) days ago. 
W 713 when the Backup was done li days npo. 
OH 450 when the Backup was done 5 days ago. 
M 280 when the Backup w,i* done 7 days ago. 
(1 18S when the Backup whj> < lonp days ago. 



The algorithm to calculate a degree willibi tiie time interval between MnUniKlf^tfrR^toreTims and 
MnxUnitCouriterRzstorzTimeis: Hvjj- 



r # 



As a User-friendly component^ the result nt Hie "Unit Counter is rou 

2.4 Licensor Sees Only Own Licenses 



n tin AfiB thenex* integer value. 



[2003-jun~l0/mabu] , ^jj* 

The User has created a single CM-Bux backup file, but thij'tejle is not svinfc to the licensors completely: Only 
that part which describes a specifk Firm riom with aJt owning J Voducl [terns is transferred by the Web 
Communicator to the Licensor as inpul value for tho Re^to^e operation, 

This method avoids that a Licensor ran dfcewer I?y an^yzdn^thc Bad up information which other products 
are licensed by a specific User. § -» ij ] ^ ^ 

2-5 Restore Process is Singly Action for User 

[2Q03-Jun-10/mabu] ! -.. 

If a CM-Box contains licenses from nutny I arc^prs, each of that Licensors contains a separate Restore 
request via CM-Talk and iesendg.&e rcqijirccEfeemntc Activation operations to the new target CM-Box. The 
User initialises this operatio^ljw^ila single click lo the tictckuj? bulLon in the Web Admin console; optionally 
the User can decide Ihatnot^flfceiisi-K ut the Backup are restored; possibly if he or she wants to restore 
Licenses in several CM-BoxJiSiBi? 

The Web CommunicatoSi!^y4niti^tp the Restore ••equeste to many Uu-tisots at same time, so the Restore 
operation is started^^lel whidj*aves in contrast to a sequential sending of requests a lot of time for the 
User. # -m ,J i»* 

■ %# j# 

2.6 Backup Filebannot Be Manipulated 



p003-Jun-10/mabu] 

The Licensor must have the connrrnni inn ti \ the U/;er lliat the sent Backup sequence of the Firm Items and 
Product Items is real and not manipu Jdtvd. This ?s done by signing the backup data with a hash code using 
SHA-256 within the CM-Box. The hash code is then AES-enciypted by Hie secret Firm Key and appended as 
16-byte TVB to the Backup information. Pecnuse die Firm Key is only I nownfor the Licensor/ no 
manipulation is possible - even W1H U -SYS i'PMS could not create a signed Backup sequence of wrong data. 

Each Backup sequence for a Firm Tfcem includes also flic three time-values of the CM-Box (Certified Box 
Clock, Running Box Clack and System Hon Clock) and the Serial Number. So using- a Backup structure of 
another CM-Box or of another time is not possible. 

Version of 1 0, June 2003 6/1 1 

Confidential, created at 10. June for WIBU-SY5TEMS AG 

Empf .zeU:: 30/ 12/2003 12:29^; — ^ - Empf .nr.:755 .PJ)19. 



30/12 '03 DI 12:29 FAX +49 721 8301313 



DURM & DURM 



EPA MUENCHEN ©020 



CM-Box Backup CodeMeter Architecture 

Principles of the CM-Box Backup 

Moreover the encryption gf the hash of the signing dues not depends only of fee Firm Key but also of the 
Serial Number, the Firm Up data Counter in the Firm. Item and the cimvnt time in the CM-Box (identical 
with System Box Clock). 

Hie secret Firm Key is no part of the "Biioku p sequence 

A big advantage of a signed and xruuiipu tat ion-free Backup sequence is that there is no requirement for the 
Licensor to save an own backup of all created licenses. The Licen&ur can do this and even use such 
information for a double check; but there no technical nor security lvtison to do that 

2.7 HiddenData PIO is Encrypted 

[2003-Jun-lO/mabu] 

Typically all data in a backup structure are readable. Thk information is not seere^kr^''^^ the 
analyses of the backup structure. # |yjfiF r> ^ 

One exception is a HiddenData PIO: In contrast to a SecrelOata PIO, Ihoy ca^ifee paxt ! of the^&ckup; but in 
contrast to all other PIO, the information is encrypted by AE5-CHC The «||ffl?*^y is ide^fical with that 
which is used to encrypt the hash of the signing (sec chapter 2L6, pa^p U) (BwBpeKud^Ai the Finn Key, Firm 
Code, Firm Update Counter, Serial Number and time when the backup wWcreat^^ 

' . . * 

2.8 SecretData PIO is No Part of Backup * * 

[2003-Jun-10/mabu] ,, i jfa 

In contrast to all other PIO, a StmtUntu PIO cannot be parf o^jg backup. Such data may be created randomly 
within the CM-Box and should be always .secret oute1de.of the CM-Bus, even for the Licensor who creates 
the Product Item which contains the bcctrlDnla PI O. , _ ' $ 

l : w ! 

The PAD {Product Activation Descriptirm) al L joqjs&dfr'fc Site permits {wo options to restore a SecretData PIO: 
103 The PIO is not restored 1 1 ' \ 5 ' 

ffl The PIO is restored with fixed data, random data or altombinntmn of both. 

2.9 Restrictions of 1FI Backup r 

f20D3-Jun-10/mabu] I, ^' 

The User can do an own BacS^'olf Us I HI (Implicit Hrm Item). A local application (not available in the 
moment) can restore the Usj^a^ttalod UPT (Usisr Product Item) and oil Product Items with a higher 
Product Code than that o£ .mel^T into another Clvt-Bux. Instead of l! m Firm Key of a normal license, the 
User Key is responsible^^ the* daia hash and encrypting the / ftddenData PIO. 

A security risk f or Jta^s^is ^encryption of RiddenDntaTIO m a Ul'f if the User Key is not the UK {User 
Jndividuol Key) hm^s^CR {^serTComwnn Kay): The UCK Key is available for WIBU-SY5TEM5 and also used 
during the Lock^fPj^^ 2.\U page 7). 5o il would be principally possibly for WIBU-SYSTEMS 

or for a Licensor (after receiving the IK'K for Locking to decrypl LI m HiddenData PIO in the IFI backup. 

To avoid this risk, a Backup sequence of the IFI (Implicit Firm Item) i\m only be done if the User Key is the 
UIK QJbst Individual Key); the creation of flu* (FT Backup .sequence in the CM-Box fails if the UCK {User 
Common Key) is stored as User Key. 

2.10 Broken or Lost CWI-Boxes can be Locked 

l2003-Jun-10/mabu] 

The CM-Box Backup and Restore mcdwrusm is friendly for the Iferr but could also be used for 
marupulation: 

KB A User creates a valid Backup tfecjuimco of a CM-BOX "A'\ 
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M The User claims that the CM-Box " A" is broken or lost but this is wrong. 

M The Licensor creates a Restore of l\a License from the Backup Sequence into a new CM-Box "B", 
The User can now use two licenses: r ll wt in CM-Box " A" and that in CM-Box "B". 

There is no chance to avoid this: Because am important feature of CodeMeter is the offline-use of a CM-Box, 
no Online-checking is possible lo chticW lhaL CM-Box "A" is really lusl ur broken. 

The same risk is when a CM-Box is stolen - ihe owner receives a ce$(on» into another CM-Box, but the thief 
can also use the licenses in the stolen CM- Kux. 

The first chance to detect a broken CM-Uo* which is not broken or a stolen CM-Box at the Thief s Site is any 
online activity. CodeMeter requires such online activity for Remote Ariivafcion via CM-Talk and for setting 
the CIS (Csrtifisd Time Stamp), 

As solution, CodeMeter supports a Locking mechanism to lock a broken or losfcd^fe whenit is detected 
within the Internet during Remote Actfvution or Certified Time Stamp Fonow^#|iecfi!^iism is used: 

M l£ a licensor creates a Restore, iL bcis thu signed Serial Number of the Bad^p'^quen^aAto a local 
Locking list %^ j>' 

S* When the User specifies a CM-Box wiiii the some Serial Number rt^ajffifer lElem<j^ 2 Artivatioiv the 

Licensor detects this CM-Box as broken or lost and rejects the FejuoB^&vjttfltf This is a local activity 
which is independent of the centralize d locking management by WffiU-SYS^pfelS. 

©A 1 

105 As a second operation, the Licensti r sends flu: Serial Number of lln; CM-Box, for which the Backup 
Sequence was created, to WIBU-SYSTFMS or an affil iated partner for gMBox Locking Management; 
This CM-Box is a candidate for lost broken ov stolen. ^, ' 



This Locking instance checks whether the Request fot;Locking am\e from an authorized licensor. If so, 
it is checked if the CM-Box with this 5erial Number is aHgady lockrd. 

If the CM-Box is not locked, a Locking Sequence] is^reated and ssel into a database which can be read by 
authorized Licensors and Certified Tune Server Palmers, i 

Each Licensor or Certified Time Server I •axffieto dowrdpSi t] 



Each Licensor or Certified Time Server I *asmc^| download this list of locked CM-Box - all of these CM- 
Boxes are declared as broken, stolen or losfejj^ the Us^'as original Owner. 

If a Licensor receives now a xe<nu*l for R&to te Activation or a C >rtified Time Server Partner a request 
for a Certified Time Stamp, it mrclicb ihe SeriaPNu ruber or itu.' la rjjet CM-Box in the Locking list 

If the target CM-Box is not deflated as locked! ihe operation cnnllnues as usual. But if the target CM- 
Box is detected as locked, d\e,I Jcumoj ur fljte Certified Time Server partner sends the created Locking 
Sequence to the User, ihe^jeiJ CnmmuniCabr interprets this cum n tand, sends it to the CM-Box and this 
is locked - it caraiotloiffijar ^iJhi'd for any encryption or a u Humiliation, even the most PIO data cannot 



be longer read. ^ 

Sometimes it may be that^e,Jockin^ tails: A hacker could be a Ucviumr of WIBU-SYSTEMS and tries to lock 
all CM-Boxes in the fiebiJ%jiS&i wftfrh hi- or >he has reemved a Backu p Sequence. CodeMeter reduces the 
limit of such a crimip^jrflby two fcnhirrs 

ffil The source %sucjil wror^ockmi; requests can be found by authentication of the licensor and 
eliminated. ''W jfift' 

M\ WTBU-SYSTEMS cartailso unlock <i pivvlrjusly locked CM-Box. Thif.is an operation which is handled 
exclusively by WIBU-SY5TEMS; il if? not planned that a Licensor can do this too. 

2.11 Cheating Using Backup/Restore Mechanism is Limited 

[2003-JuxirlO/mahu] 

If a User knows about the details of CM Box Locking, he or she could sivoid any online use with the CM-Box 
which was claimed as broken, lost or stolon. He or she could buy many CM-Boxes and try to repeat the 
Backup /Restore mechanism from one CM-Box to the next one to rcret v is a lot of licenses and try to sell them. 

Such a criminal act can be avoided U a Licensor stores a 1 1st of Serial Numbers which are a target of a Restore 
Operation, If such a CM-Box is claimed <w broken, lost ot stolen after .i Nhort time interval and it is asked for 
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a Restore into another CM-Box, the 1 ,ic.vi isor is alarmed and can stop I he automatic repeated Restore-Frocess 
until evidences are available about ihe owpici of tills CM-Box, its usiiijj practice etc. 

The Repealed Restoring Atert List is nuuia^ucl by the FAD JVogrammer at Licensor's Site. The Licensor can 
specify two parameters: 

09 The number of maximum Restore Ctycrd tioits via a chain of CM IJuxes within a time interval to send an 
alert 

Uffl The number of maximum Restore O perations via a cliain of CM Boxes within a time interval to stop the 
Restore operation automatically, 

2.12 Platform for License Transfer 

[2003-JurvlO/mabu] 

The Backup/Restore mechanism can ais>u be used to transfer a Licen&y irom CM-BWto and&er. The 
difference between a Transfer and a Region: is thai fur a Transfer t hi; CNt-^o^whidn wasftip^original 
location of the License is not broken, Ural or sLolen and is no candidate* lor^W^hg (see|^)f§pter 2.10, page 7). 

The License Transfer is very similar to the backup with the difference lli^pl ^^irm-J^m is deleted 
completely in the CM-Box of the pr^viuus location before the Badku p i,s ^ecutedl^big advantage is that the 
Licensor may not backup the License during the Transfer because this fr&ie r^Snsibilxty gf the User- 
Such a Transfer is executed in following steps: , t 



W The User wants that a License is Irnusicr from one CMS%jk " A" to i«$ther CM-Box "B' 
H The User creates a Backup Sequence of CM-Box ; 'A". \k ™ 1 , 
Rfi The User sends the Transfer Request to the Licensor (srm&lar to a Backup Request), specifying the 

Backup Sequence of CM-Box "A" and the CM-Uox]|B w information (Serial Number etc.) 
OK The Licensors sends a "Delete Firm Teem" conirrtand fce CM-Box " r\" and deletes the license there 

completely. ^ ^ \ A i J 

M The Licensor sends a Restore Sequence to me C&f-Box fw , 

Ah 

If any operation fails, the User can reseml the InloiiiiaH^iHiiat the Firm Item is deleted in the CM-Box ''A", 
the backup of the contents and the License Traijjpfer canjbe completed a^ain by the licensor. 



nua 



A SecretData PIO cannot be transferred because Ihis is a principle restriction of me CM-Box 
Backup/Restore operations,^- security reason (see chapter 2..*$, page 7). 



The Conteril|pf a Backup File 



[2003-JunrlO/mabu] "J^ 

II' a n-i ' 



4 Implementation at User's Site 

P003-jun-10/mabuj 
ITBA] 



Version of 1 D. June 2003 9/1 1 

Confidential, created at 10. June 2003 for WIBU-SYSTEMS AG 



EitiPf vzeit:30/12/2003 12:31 ■ ,. . Enpf.nr,:755 .R.022 



30/12 '03 DI 12:30 FAX +49 721 8301313 



PURM & DURM 



EPA MUENCHEN Ig]023 



CM-Box Backup 



CodeMeter Architecture 
Implementation at Licensor's Site 




.._N 

r . ■ - v / 



Backup Operation y 

— V 




z :-- r - 

Baekup Tik- 
(XML. ^CmBacKup 



Backup Fife 
(XML, ,CmDacKup | 
1*130D.wbr/) 



Bar;Kup Conliol 
rile , 



Figure 1 Restore Process al User's Sila 
[TBA] 




Backup rile I 
(XML. .OmBackup I 
•MP.00.wnc") | 




Jfea /-ifcaeKup 
| ) ^Context 

1 1 OTihfonralion 



RsbIoto 
Remote 
Activation 



^Igure 2 Rasora Process at User's Site wiltt wmmunicaUon lo licensor" a Silo 
[TEA] 



5 Implementation at Licensor's Site 



[2003-Jun-lO/mabu] 
[TBA] 
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7 Appendices 

7.1 State of Current Version 

This document describes implemented technology but it \s under dlsiui^on. 

7.2 Contact Address 

If you have further questions or coinnittivfcv pleasu contact: 



WIBU-SYSTEMS AG 
Website http:7 J xvTvw.vyjbu.co m 
E-Mail info@vdbu.coTo 
Fa* +49-721-93172-22 
Phone +49-721-93172-0 
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Patent Claim 

A method to restore data, which is stored in a broken computer hardware device by 
transferring them partially or completely into another hardware device of same type, 
the method including a complete backup mechanism, characterized by the following 
steps: 

The hardware device stores licences from different licensors. Each license can only be 
created by the licensor as owner. The owner of the hardware or WIBU-5YSTEMS 
cannot store such a license. No other licensor can store a license of anywhere else. AU 
these restrictions axe handled by a mix of syirunetrie rind asymmetric (public key) 
encryption methods and by private keys- 

The stored licenses can be saved by the user as owner uf the hardware into a file. All 
price-relevant information is stored. This information Ls not encrypted (except some 
special secret data) but signed int^ivid^lally for each license in dependence of a secret 
key, delivered by the licensor. The signjng is done by n hash via the data which is 
encrypted by that secret key and sLored in the file. The signature is also influenced by 
the Serial Number of the hardware device (which is unique) and by the current time 
(second based, hardware device internal), so that no Lime manipulation is possible. 

The user can do this backup as frequently as he or she desires or how frequently it is 
required (for example after the counting information for pay-per-use is reduced). 

This backup file is not required until the hardware device is lost or broken. Then the 
user buys a new (typically empty) hardware device, which should receive and store 
all licenses (which must support restoring) from the broken hardware device. 

Then a software application outside of the (now unusable) hardware device sends 
the backup file as a sequence to the Hub Web Service by a single command form the 
user ("single click")- This cenLral Web Service knows I he Restoring Web Services of 
all licensors who supports such o restore operation. The Hub Web Service analyses 
the received sequence and sends each license, which supports the restoring, to the 
corresponding Restoring Web Service. These create new sequences, compatible to the 
backup sequences, which are sen I to the new hardware device. That's why this 
device receives the new sequences from different Restoring Web Services. 
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